Security Best Practices on Forge deployments

My app is coming together so I want to start securing my server that was provisioned by Forge. I have removed the phpinfo and redirected the IP to my domain but that is about it. I am hosting with AWS.

Looking for general best practices to lock things down. I am also seeking PCI references if anyone has perspective there but that is really a secondary exercise at this point.

Thanks in advance!